View Ticket
Ticket Hash: 799aae4e72a7c137979ba791698b79d610ad5119
Title: http::geturl hangs if certificate verify failed
Status: Open Type: Code Defect
Severity: Severe Priority: Immediate
Subsystem: Resolution: Open
Last Modified: 2022-08-28 21:56:25
Version Found In: >1.7.3
User Comments:
anonymous added on 2019-12-13 10:13:19:
The problem is more severe the older the http package is, but in its less critical form, it hangs when performing a post:

```
package require tls

package require http
http::register https 443 tls::socket

proc ::tls::log {level msg} {
    puts ">>>> $msg"
}

#set ::tls::debug 1

tls::init -cafile /tmp/kk.ca -tls1 true -require 1 -request 1


http::geturl https://self-signed.badssl.com -query a=b

puts OK
```

It shows:

```
VerifyCallback 1
VerifyCallback checking
VerifyCallback null callback
VerifyCallback returnning ok=0
SSL channel "sock5": error: certificate verify failed

<----- here it hangs
```

If instead of performing a POST, we use GET, it does not hang:


```
VerifyCallback 1
VerifyCallback checking
VerifyCallback null callback
VerifyCallback returnning ok=0
error flushing "sock5": connection reset by peer
    while executing
"http::geturl https://self-signed.badssl.com"
    (file "check.tcl" line 18)
```

But is just because in http module, the socket is flushed, and it fails:

```
  if {$isQuery || $isQueryChannel} {
      ...
      puts $sock ""
      fconfigure $sock -translation {auto binary}
      fileevent $sock writable [list http::Write $token]
  } else {
      puts $sock ""
      flush $sock
      fileevent $sock readable [list http::Event $sock $token]
  }
```

On isQuery mode (POST), there is no flush to trigger an error so it hangs.

I tracked the error to this commit: 

https://core.tcl-lang.org/tcltls/info/7df7a8696e009447

From that commit onwards, it always hangs.

anonymous added on 2022-08-28 21:56:25:
I'm getting the same issue but with the ldap module when verify certificate option is enabled.

Is there a workaround ? Disabling verify permanently is a security issue.